5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.196 Low
EPSS
Percentile
96.3%
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551,
2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows
remote attackers to cause a denial of service (CPU and memory
consumption) a crafted XML document containing an empty string
in an entity that is used in a large number of nested entity
references, aka an XML Entity Expansion (XEE) attack.
NOTE: this vulnerability exists because of an incomplete
fix for CVE-2013-1821 and CVE-2014-8080.